Various improvements and fixes around SAML/SCIM #1735
I think fixing this involves changing the integration tests only, but I'm not sure about what this means for client behavior. Will check later.
f5b93cf to 3db41d0
I saw this locally, but then couldn't reproduce it any more and was hoping it was something about me compiling it wrong. But it looks like it's a real thing.
SAML auto-provisioning only works if scim is disabled. This commit makes the guard more straight-forward and provides a less confusing error message.
Can't reproduce. I could, a few times, but now I can't any more. The evidence is very confusing:
I could only reproduce it on da75bba, not on 46cca3f. I have no hypothesis how the changes in saml2-web-sso, or the changes to email and NameID mangling in 46cca3f could affect the way data is stored and retrieved via scim. And only non-deterministically?! My only answer is to fall back to the theory that there was something wrong with the build, and wait for the issue to resurface to prove me wrong... :/
This introduces optionally case-insensitive emails. This patch keeps using case information, but it's now apparent where it could be ignored in the future, and how.
It looks like the problems shown above already happen on develop, and I still have no good idea what they are about. I'll move this question to another PR.
| @@ -421,7 +427,7 @@ verdictHandlerResultCore bindCky = \case | |||
| -- This is the first SSO authentication, so we auto-create a user. We know the user | |||
| -- has not been created via SCIM because then we would've ended up in the | |||
| -- "reauthentication" branch, so we pass 'ManagedByWire'. | |||
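Review bot: the context comment in this hunk ends with "so we pass 'ManagedByWire'", which ties the comment to one specific argument of the call that follows it. If that call changes in this hunk, these three comment lines need to change with it. Consider wording the comment around the invariant it already states (the user was not created via SCIM, because otherwise the "reauthentication" branch would have been taken) rather than around the value being passed, so it stays accurate when the argument changes.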
we remove 'ManagedByWire' here, doesn't this mean this comment should be updated?
please read commit-by-commit. two of them may be worth commenting on:
CI.CI-wrapped values in a few places (mostly email and NameID), and we just unpack it using CI.original, which recovers all casing information. in the future, we'll have the option to treat emails case-insensitively as we're supposed to. (there is currently another, more hacky way in which we do this, see here and the internal issue.)
Checklist
make git-add-cassandra-schema to update the cassandra schema documentation.